Update to upstream version 1.1.0
This patch also fixes the computation of self-check .hmac files. Before, fipshmac was used for all binaries, but since the hmaccalc tools use different parameters (SHA-512 instead of SHA-256 and a different key), this would lead to self-check failures for hmaccalc. The new post-install script calculates the hmaccalc files using sha512hmac and the other .hmac files using fipshmac. The parameters for the self-check of the library were also consolidated upstream to use a single parameter set across tools (the fipscheck parameters) so that the library is checked correctly by all tools. I also dropped the kcapi-hasher binary and the hasher subpackage as it is really useless on its own (and the other hasher tools are always created as hard links). It would also be impossible to add a universally correct .hmac file since different tools would check against it with different parameters.
This commit is contained in:
parent
3440cb3784
commit
955e81c3c4
4
.gitignore
vendored
4
.gitignore
vendored
@ -1 +1,3 @@
|
||||
/libkcapi-1.0.3.tar.xz
|
||||
/libkcapi-*.tar.xz
|
||||
/libkcapi-*.tar.xz.asc
|
||||
/*.src.rpm
|
||||
|
@ -1,39 +0,0 @@
|
||||
From f2ea3459e4d9e2f989bbc5fa5045bdac1742af9b Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= <besser82@fedoraproject.org>
|
||||
Date: Sat, 31 Mar 2018 15:28:06 +0200
|
||||
Subject: [PATCH] Makefile: Do not clobber pkgconfig-dir from configure
|
||||
|
||||
---
|
||||
Makefile.am | 2 +-
|
||||
configure.ac | 5 +++++
|
||||
2 files changed, 6 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/Makefile.am b/Makefile.am
|
||||
index 8e195b6..15eadb1 100644
|
||||
--- a/Makefile.am
|
||||
+++ b/Makefile.am
|
||||
@@ -24,7 +24,7 @@ man_MANS =
|
||||
|
||||
DOC_TARGETS =
|
||||
|
||||
-pkgconfigdir=$(libdir)/pkgconfig
|
||||
+pkgconfigdir = @pkgconfigdir@
|
||||
pkgconfig_DATA = libkcapi.pc
|
||||
|
||||
if DISABLE_LIB_SYM
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index aa89eef..b9554d1 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -122,6 +122,11 @@ if test "$with_lib_kpp" = "yes"; then
|
||||
fi
|
||||
|
||||
PKG_INSTALLDIR
|
||||
+if test "x$pkgconfigdir" = "x"; then
|
||||
+ pkgconfigdir = "${libdir}/pkgconfig"
|
||||
+fi
|
||||
+AC_SUBST([pkgconfigdir], [$pkgconfigdir])
|
||||
+
|
||||
AC_CONFIG_FILES([libkcapi.pc])
|
||||
|
||||
AC_OUTPUT
|
@ -0,0 +1,34 @@
|
||||
From 3a860a5d5231e4912d4611397752f2010467a578 Mon Sep 17 00:00:00 2001
|
||||
From: Ondrej Mosnacek <omosnace@redhat.com>
|
||||
Date: Mon, 16 Apr 2018 19:35:57 +0200
|
||||
Subject: [PATCH] kcapi-hasher: Fix FIPS self-check always failing
|
||||
|
||||
---
|
||||
apps/kcapi-hasher.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/apps/kcapi-hasher.c b/apps/kcapi-hasher.c
|
||||
index 861db79..a5e9c71 100644
|
||||
--- a/apps/kcapi-hasher.c
|
||||
+++ b/apps/kcapi-hasher.c
|
||||
@@ -583,6 +583,7 @@ static int process_checkfile(const struct hash_params *params,
|
||||
if (ret >= 0)
|
||||
ret++;
|
||||
}
|
||||
+ checked_any = 1;
|
||||
} else {
|
||||
/*
|
||||
* fipscheck does not have the filename in the check
|
||||
@@ -591,11 +592,10 @@ static int process_checkfile(const struct hash_params *params,
|
||||
if (targetfile) {
|
||||
ret = hasher(handle, params, targetfile,
|
||||
hexhash, hexhashlen + 1, stdout);
|
||||
+ checked_any = 1;
|
||||
goto out;
|
||||
}
|
||||
}
|
||||
-
|
||||
- checked_any = 1;
|
||||
}
|
||||
|
||||
out:
|
@ -0,0 +1,373 @@
|
||||
From 1ce0b18e588e226f4e9dcc3897236ae938b9d4dd Mon Sep 17 00:00:00 2001
|
||||
From: Ondrej Mosnacek <omosnace@redhat.com>
|
||||
Date: Wed, 18 Apr 2018 10:03:49 +0200
|
||||
Subject: [PATCH 1/4] kcapi-hasher: Use consistent lib self-check params
|
||||
|
||||
Since the various hasher tools use different HMAC parameters (hash,
|
||||
key) and they all need to check the libkcapi library, it is necessary
|
||||
to use a consistent set of parameters for the library itself.
|
||||
|
||||
This patch changes the behavior to always check the library using the
|
||||
fipscheck hash and key.
|
||||
---
|
||||
apps/kcapi-hasher.c | 12 +++++++-----
|
||||
1 file changed, 7 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/apps/kcapi-hasher.c b/apps/kcapi-hasher.c
|
||||
index 480a019..1d76e1d 100644
|
||||
--- a/apps/kcapi-hasher.c
|
||||
+++ b/apps/kcapi-hasher.c
|
||||
@@ -611,7 +611,8 @@ static int process_checkfile(const struct hash_params *params,
|
||||
|
||||
}
|
||||
|
||||
-static int fipscheck_self(const struct hash_params *params, int just_print)
|
||||
+static int fipscheck_self(const struct hash_params *params_bin,
|
||||
+ const struct hash_params *params_lib, int just_print)
|
||||
{
|
||||
char *checkfile = NULL;
|
||||
uint32_t n = 0;
|
||||
@@ -668,7 +669,7 @@ static int fipscheck_self(const struct hash_params *params, int just_print)
|
||||
}
|
||||
|
||||
if (just_print) {
|
||||
- ret = hash_files(params, names, 1, 0, 1);
|
||||
+ ret = hash_files(params_bin, names, 1, 0, 1);
|
||||
goto out;
|
||||
}
|
||||
|
||||
@@ -678,7 +679,7 @@ static int fipscheck_self(const struct hash_params *params, int just_print)
|
||||
goto out;
|
||||
}
|
||||
|
||||
- ret = process_checkfile(params, checkfile, selfname, CHK_STATUS);
|
||||
+ ret = process_checkfile(params_bin, checkfile, selfname, CHK_STATUS);
|
||||
if (ret)
|
||||
goto out;
|
||||
|
||||
@@ -710,7 +711,7 @@ static int fipscheck_self(const struct hash_params *params, int just_print)
|
||||
goto out;
|
||||
}
|
||||
|
||||
- ret = process_checkfile(params, checkfile, selfname, CHK_STATUS);
|
||||
+ ret = process_checkfile(params_lib, checkfile, selfname, CHK_STATUS);
|
||||
|
||||
out:
|
||||
if (checkfile)
|
||||
@@ -1010,7 +1011,8 @@ int main(int argc, char *argv[])
|
||||
}
|
||||
}
|
||||
|
||||
- if (fipscheck_self(params_self, print_self_hash)) {
|
||||
+ /* library self-check must be consistent across apps: */
|
||||
+ if (fipscheck_self(params_self, &PARAMS_SELF_FIPSCHECK, print_self_hash)) {
|
||||
fprintf(stderr, "Integrity check of application %s failed\n",
|
||||
basen);
|
||||
ret = 1;
|
||||
|
||||
From c69e77d4abd5b77a3f396abb816af1df8c9a7733 Mon Sep 17 00:00:00 2001
|
||||
From: Ondrej Mosnacek <omosnace@redhat.com>
|
||||
Date: Wed, 18 Apr 2018 11:59:11 +0200
|
||||
Subject: [PATCH 2/4] Makefile.am: Properly install checksum files
|
||||
|
||||
---
|
||||
Makefile.am | 19 ++++++++++++++-----
|
||||
1 file changed, 14 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/Makefile.am b/Makefile.am
|
||||
index ed724fe..07e2451 100644
|
||||
--- a/Makefile.am
|
||||
+++ b/Makefile.am
|
||||
@@ -139,16 +139,25 @@ EXTRA_bin_kcapi_hasher_DEPENDENCIES = libtool
|
||||
|
||||
SCAN_FILES += $(bin_kcapi_hasher_SOURCES)
|
||||
|
||||
-kcapi_hasher_links = sha1sum sha224sum sha256sum sha384sum sha512sum \
|
||||
- md5sum fipscheck fipshmac \
|
||||
- sha1hmac sha224hmac sha256hmac sha384hmac sha512hmac
|
||||
+hasher_links_fc = sha1sum sha224sum sha256sum sha384sum sha512sum \
|
||||
+ md5sum fipscheck fipshmac
|
||||
+hasher_links_hc = sha1hmac sha224hmac sha256hmac sha384hmac sha512hmac
|
||||
+hasher_links = $(hasher_links_fc) $(hasher_links_hc)
|
||||
+
|
||||
+CHECKSUM_CMD_FC = $(OPENSSL) sha256 -r -hmac orboDeJITITejsirpADONivirpUkvarP
|
||||
+CHECKSUM_CMD_HC = $(OPENSSL) sha512 -r -hmac FIPS-FTW-RHT2009
|
||||
|
||||
install-exec-hook:
|
||||
(cd $(DESTDIR)$(bindir) && \
|
||||
- ($(foreach link, $(kcapi_hasher_links), $(LN) -f kcapi-hasher $(link);)))
|
||||
+ ($(foreach link, $(hasher_links), $(LN) -f kcapi-hasher $(link);)))
|
||||
if HAVE_OPENSSL
|
||||
(cd $(DESTDIR)$(bindir) && \
|
||||
- ($(foreach link, $(kcapi_hasher_links), $(OPENSSL) sha256 -hmac orboDeJITITejsirpADONivirpUkvarP $(link) > $(CHECK_PREFIX)$(link).$(CHECK_SUFFIX);)))
|
||||
+ ($(foreach link, $(hasher_links_fc), \
|
||||
+ $(CHECKSUM_CMD_FC) $(link) > $(CHECK_PREFIX)$(link).$(CHECK_SUFFIX);) \
|
||||
+ $(foreach link, $(hasher_links_hc), \
|
||||
+ $(CHECKSUM_CMD_HC) $(link) > $(CHECK_PREFIX)$(link).$(CHECK_SUFFIX);):))
|
||||
+ ($(foreach lib, $(wildcard $(DESTDIR)$(libdir)/libkcapi.so*), \
|
||||
+ $(CHECKSUM_CMD_FC) $(lib) > $(CHECK_PREFIX)$(lib).$(CHECK_SUFFIX);):)
|
||||
endif
|
||||
endif
|
||||
|
||||
|
||||
From a90c618490385d9d6214dd4918dd679b0be0df9f Mon Sep 17 00:00:00 2001
|
||||
From: Ondrej Mosnacek <omosnace@redhat.com>
|
||||
Date: Wed, 18 Apr 2018 12:17:59 +0200
|
||||
Subject: [PATCH 3/4] kcapi-hasher: Add -L option for completeness
|
||||
|
||||
Since kcapi-hasher also checks the checksum of the libkcapi library, add
|
||||
-L option to print the checksum of the library.
|
||||
---
|
||||
apps/kcapi-hasher.c | 130 ++++++++++++++++++++++++++++++----------------------
|
||||
1 file changed, 75 insertions(+), 55 deletions(-)
|
||||
|
||||
diff --git a/apps/kcapi-hasher.c b/apps/kcapi-hasher.c
|
||||
index 1d76e1d..7890060 100644
|
||||
--- a/apps/kcapi-hasher.c
|
||||
+++ b/apps/kcapi-hasher.c
|
||||
@@ -114,7 +114,7 @@ static void usage(char *name, int fipscheck)
|
||||
const char *base = basename(name);
|
||||
fprintf(stderr, "\n%s - calculation of hash sum (Using Linux Kernel Crypto API)\n", basename(name));
|
||||
fprintf(stderr, "\nUsage:\n");
|
||||
- fprintf(stderr, "\t%s [OPTION]... -S\n", base);
|
||||
+ fprintf(stderr, "\t%s [OPTION]... -S|-L\n", base);
|
||||
if (fipscheck)
|
||||
fprintf(stderr, "\t%s [OPTION]... FILE\n", base);
|
||||
else {
|
||||
@@ -123,6 +123,7 @@ static void usage(char *name, int fipscheck)
|
||||
}
|
||||
fprintf(stderr, "\nOptions:\n");
|
||||
fprintf(stderr, "\t-S --self-sum\t\tPrint checksum of this binary and exit\n");
|
||||
+ fprintf(stderr, "\t-L --self-sum-lib\tPrint checksum of the libkcapi library and exit\n");
|
||||
if (!fipscheck)
|
||||
fprintf(stderr, "\t-c --check FILE\t\tVerify hash sums from file\n");
|
||||
fprintf(stderr, "\t-u --unkeyed\t\tForce unkeyed hash\n");
|
||||
@@ -611,8 +612,13 @@ static int process_checkfile(const struct hash_params *params,
|
||||
|
||||
}
|
||||
|
||||
+/* self-check modes: */
|
||||
+#define SELFCHECK_CHECK 0
|
||||
+#define SELFCHECK_PRINT_SELF 1
|
||||
+#define SELFCHECK_PRINT_LIB 2
|
||||
+
|
||||
static int fipscheck_self(const struct hash_params *params_bin,
|
||||
- const struct hash_params *params_lib, int just_print)
|
||||
+ const struct hash_params *params_lib, int mode)
|
||||
{
|
||||
char *checkfile = NULL;
|
||||
uint32_t n = 0;
|
||||
@@ -626,9 +632,9 @@ static int fipscheck_self(const struct hash_params *params_bin,
|
||||
void *dl = NULL, *sym;
|
||||
|
||||
#ifdef HAVE_SECURE_GETENV
|
||||
- if (secure_getenv("KCAPI_HASHER_FORCE_FIPS") || just_print) {
|
||||
+ if (secure_getenv("KCAPI_HASHER_FORCE_FIPS") || mode != SELFCHECK_CHECK) {
|
||||
#else
|
||||
- if (getenv("KCAPI_HASHER_FORCE_FIPS") || just_print) {
|
||||
+ if (getenv("KCAPI_HASHER_FORCE_FIPS") || mode != SELFCHECK_CHECK) {
|
||||
#endif
|
||||
fipsflag[0] = 1;
|
||||
} else {
|
||||
@@ -660,58 +666,68 @@ static int fipscheck_self(const struct hash_params *params_bin,
|
||||
}
|
||||
|
||||
/* Integrity check of our application. */
|
||||
- memset(selfname, 0, sizeof(selfname));
|
||||
- selfnamesize = readlink("/proc/self/exe", selfname, BUFSIZE);
|
||||
- if (selfnamesize >= BUFSIZE || selfnamesize < 0) {
|
||||
- fprintf(stderr, "Cannot obtain my filename\n");
|
||||
- ret = -EFAULT;
|
||||
- goto out;
|
||||
- }
|
||||
+ if (mode == SELFCHECK_CHECK || mode == SELFCHECK_PRINT_SELF) {
|
||||
+ memset(selfname, 0, sizeof(selfname));
|
||||
+ selfnamesize = readlink("/proc/self/exe", selfname, BUFSIZE);
|
||||
+ if (selfnamesize >= BUFSIZE || selfnamesize < 0) {
|
||||
+ fprintf(stderr, "Cannot obtain my filename\n");
|
||||
+ ret = -EFAULT;
|
||||
+ goto out;
|
||||
+ }
|
||||
|
||||
- if (just_print) {
|
||||
- ret = hash_files(params_bin, names, 1, 0, 1);
|
||||
- goto out;
|
||||
- }
|
||||
+ if (mode == SELFCHECK_PRINT_SELF) {
|
||||
+ ret = hash_files(params_bin, names, 1, 0, 1);
|
||||
+ goto out;
|
||||
+ }
|
||||
|
||||
- checkfile = get_hmac_file(selfname);
|
||||
- if (!checkfile) {
|
||||
- ret = -ENOMEM;
|
||||
- goto out;
|
||||
- }
|
||||
+ checkfile = get_hmac_file(selfname);
|
||||
+ if (!checkfile) {
|
||||
+ ret = -ENOMEM;
|
||||
+ goto out;
|
||||
+ }
|
||||
|
||||
- ret = process_checkfile(params_bin, checkfile, selfname, CHK_STATUS);
|
||||
- if (ret)
|
||||
- goto out;
|
||||
+ ret = process_checkfile(params_bin, checkfile, selfname, CHK_STATUS);
|
||||
+ if (ret)
|
||||
+ goto out;
|
||||
+ }
|
||||
|
||||
/* Integrity check of shared libkcapi.so file. */
|
||||
- memset(selfname, 0, sizeof(selfname));
|
||||
- snprintf(selfname, (sizeof(selfname) - 1), "libkcapi.so.%u",
|
||||
- KCAPI_MAJVERSION);
|
||||
- dl = dlopen(selfname, RTLD_NODELETE|RTLD_NOLOAD|RTLD_LAZY);
|
||||
- if (dl == NULL) {
|
||||
- fprintf(stderr, "dlopen of file %s failed\n", selfname);
|
||||
- ret = -EFAULT;
|
||||
- goto out;
|
||||
- }
|
||||
+ if (mode == SELFCHECK_CHECK || mode == SELFCHECK_PRINT_LIB) {
|
||||
+ memset(selfname, 0, sizeof(selfname));
|
||||
+ snprintf(selfname, (sizeof(selfname) - 1), "libkcapi.so.%u",
|
||||
+ KCAPI_MAJVERSION);
|
||||
+ dl = dlopen(selfname, RTLD_NODELETE|RTLD_NOLOAD|RTLD_LAZY);
|
||||
+ if (dl == NULL) {
|
||||
+ fprintf(stderr, "dlopen of file %s failed\n", selfname);
|
||||
+ ret = -EFAULT;
|
||||
+ goto out;
|
||||
+ }
|
||||
|
||||
- memset(selfname, 0, sizeof(selfname));
|
||||
- sym = dlsym(dl, "kcapi_md_init");
|
||||
- if (sym == NULL || !dladdr(sym, &info)) {
|
||||
- fprintf(stderr, "finding symbol kcapi_md_init failed\n");
|
||||
- ret = -EFAULT;
|
||||
- goto out;
|
||||
- }
|
||||
+ memset(selfname, 0, sizeof(selfname));
|
||||
+ sym = dlsym(dl, "kcapi_md_init");
|
||||
+ if (sym == NULL || !dladdr(sym, &info)) {
|
||||
+ fprintf(stderr, "finding symbol kcapi_md_init failed\n");
|
||||
+ ret = -EFAULT;
|
||||
+ goto out;
|
||||
+ }
|
||||
|
||||
- strncpy(selfname, info.dli_fname, (sizeof(selfname) - 1));
|
||||
+ strncpy(selfname, info.dli_fname, (sizeof(selfname) - 1));
|
||||
|
||||
- free(checkfile);
|
||||
- checkfile = get_hmac_file(selfname);
|
||||
- if (!checkfile) {
|
||||
- ret = -ENOMEM;
|
||||
- goto out;
|
||||
- }
|
||||
+ if (mode == SELFCHECK_PRINT_LIB) {
|
||||
+ ret = hash_files(params_lib, names, 1, 0, 1);
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ if (checkfile)
|
||||
+ free(checkfile);
|
||||
+ checkfile = get_hmac_file(selfname);
|
||||
+ if (!checkfile) {
|
||||
+ ret = -ENOMEM;
|
||||
+ goto out;
|
||||
+ }
|
||||
|
||||
- ret = process_checkfile(params_lib, checkfile, selfname, CHK_STATUS);
|
||||
+ ret = process_checkfile(params_lib, checkfile, selfname, CHK_STATUS);
|
||||
+ }
|
||||
|
||||
out:
|
||||
if (checkfile)
|
||||
@@ -753,9 +769,9 @@ int main(int argc, char *argv[])
|
||||
int hmac = 0;
|
||||
int fipscheck = 0;
|
||||
int fipshmac = 0;
|
||||
- int print_self_hash = 0;
|
||||
+ int selfcheck_mode = SELFCHECK_CHECK;
|
||||
|
||||
- static const char *opts_short = "c:uh:t:Sqk:K:vbd:P";
|
||||
+ static const char *opts_short = "c:uh:t:SLqk:K:vbd:P";
|
||||
static const struct option opts[] = {
|
||||
{"help", 0, 0, 0},
|
||||
{"tag", 0, 0, 0},
|
||||
@@ -765,6 +781,7 @@ int main(int argc, char *argv[])
|
||||
{"hash", 1, 0, 'h'},
|
||||
{"truncate", 1, 0, 't'},
|
||||
{"self-sum", 0, 0, 'S'},
|
||||
+ {"self-sum-lib", 0, 0, 'L'},
|
||||
{"status", 0, 0, 'q'},
|
||||
{"key-file", 1, 0, 'k'},
|
||||
{"key", 1, 0, 'K'},
|
||||
@@ -932,7 +949,10 @@ int main(int argc, char *argv[])
|
||||
params.hashlen /= 8;
|
||||
break;
|
||||
case 'S':
|
||||
- print_self_hash = 1;
|
||||
+ selfcheck_mode = SELFCHECK_PRINT_SELF;
|
||||
+ break;
|
||||
+ case 'L':
|
||||
+ selfcheck_mode = SELFCHECK_PRINT_LIB;
|
||||
break;
|
||||
case 'q':
|
||||
loglevel = CHK_STATUS;
|
||||
@@ -998,28 +1018,28 @@ int main(int argc, char *argv[])
|
||||
}
|
||||
}
|
||||
|
||||
- if (print_self_hash) {
|
||||
+ if (selfcheck_mode != SELFCHECK_CHECK) {
|
||||
if (checkfile) {
|
||||
- fprintf(stderr, "-S and -c cannot be combined\n");
|
||||
+ fprintf(stderr, "-S/-L and -c cannot be combined\n");
|
||||
ret = 1;
|
||||
goto out;
|
||||
}
|
||||
if (optind != argc) {
|
||||
- fprintf(stderr, "-S cannot be used with input files\n");
|
||||
+ fprintf(stderr, "-S/-L cannot be used with input files\n");
|
||||
ret = 1;
|
||||
goto out;
|
||||
}
|
||||
}
|
||||
|
||||
/* library self-check must be consistent across apps: */
|
||||
- if (fipscheck_self(params_self, &PARAMS_SELF_FIPSCHECK, print_self_hash)) {
|
||||
+ if (fipscheck_self(params_self, &PARAMS_SELF_FIPSCHECK, selfcheck_mode)) {
|
||||
fprintf(stderr, "Integrity check of application %s failed\n",
|
||||
basen);
|
||||
ret = 1;
|
||||
goto out;
|
||||
}
|
||||
|
||||
- if (print_self_hash) {
|
||||
+ if (selfcheck_mode != SELFCHECK_CHECK) {
|
||||
ret = 0;
|
||||
goto out;
|
||||
}
|
||||
|
||||
From 7b176840ff60bc596a7c80685ef0a81adbc00e4b Mon Sep 17 00:00:00 2001
|
||||
From: Ondrej Mosnacek <omosnace@redhat.com>
|
||||
Date: Thu, 19 Apr 2018 10:39:12 +0200
|
||||
Subject: [PATCH 4/4] Makefile.am: Do not install kcapi-hasher binary
|
||||
|
||||
The kcapi-hasher binary is not usable on its own so it can be removed
|
||||
after hard-linking the actual hasher tools.
|
||||
---
|
||||
Makefile.am | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/Makefile.am b/Makefile.am
|
||||
index 07e2451..383da75 100644
|
||||
--- a/Makefile.am
|
||||
+++ b/Makefile.am
|
||||
@@ -150,6 +150,7 @@ CHECKSUM_CMD_HC = $(OPENSSL) sha512 -r -hmac FIPS-FTW-RHT2009
|
||||
install-exec-hook:
|
||||
(cd $(DESTDIR)$(bindir) && \
|
||||
($(foreach link, $(hasher_links), $(LN) -f kcapi-hasher $(link);)))
|
||||
+ -rm -f $(DESTDIR)$(bindir)/kcapi-hasher
|
||||
if HAVE_OPENSSL
|
||||
(cd $(DESTDIR)$(bindir) && \
|
||||
($(foreach link, $(hasher_links_fc), \
|
@ -0,0 +1,23 @@
|
||||
From f8e032f150522c17094e36dcf62ec3ebc77e69d8 Mon Sep 17 00:00:00 2001
|
||||
From: Ondrej Mosnacek <omosnace@redhat.com>
|
||||
Date: Mon, 16 Apr 2018 15:39:03 +0200
|
||||
Subject: [PATCH] kcapi-hasher: Fix buffer overrun in get_hmac_file
|
||||
|
||||
We need to allocate space also for the terminating null character...
|
||||
---
|
||||
apps/kcapi-hasher.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/apps/kcapi-hasher.c b/apps/kcapi-hasher.c
|
||||
index 861db79..2b87a45 100644
|
||||
--- a/apps/kcapi-hasher.c
|
||||
+++ b/apps/kcapi-hasher.c
|
||||
@@ -360,7 +360,7 @@ static char *get_hmac_file(const char *filename)
|
||||
fprintf(stderr, "File too long\n");
|
||||
return NULL;
|
||||
}
|
||||
- checkfile = malloc(filelen + prefixlen + 1 + suffixlen);
|
||||
+ checkfile = malloc(filelen + prefixlen + 1 + suffixlen + 1);
|
||||
if (!checkfile)
|
||||
return NULL;
|
||||
|
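Review bot: The allocation size `filelen + prefixlen + 1 + suffixlen + 1` is now sufficient but unexplained in the code; the commit message names the new term as the terminator, while the meaning of the earlier `+ 1` is left to the reader. A one-line comment above the `malloc` would keep the next edit from dropping a term again, e.g. `/* prefix + name + separator + suffix + NUL */`, with the middle term adjusted to whatever the string assembly below actually inserts. get_hmac_file starts and ends outside the hunk, so the assembly code that must agree with this count is not visible here.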
@ -1,19 +1,13 @@
|
||||
# Shared object version of libkcapi.
|
||||
%global vmajor 1
|
||||
%global vminor 0
|
||||
%global vpatch 3
|
||||
%global vminor 1
|
||||
%global vpatch 0
|
||||
|
||||
# Do we build the replacements packages?
|
||||
%bcond_with replace_coreutils
|
||||
%bcond_with replace_fipscheck
|
||||
%bcond_with replace_hmaccalc
|
||||
|
||||
%if %{with replace_coreutils} || %{with replace_fipscheck} || %{with replace_hmaccalc}
|
||||
%global need_hasher 1
|
||||
%else
|
||||
%global need_hasher 0
|
||||
%endif
|
||||
|
||||
# This package needs at least Linux Kernel v4.10.0.
|
||||
%global min_kernel_ver 4.10.0
|
||||
|
||||
@ -62,6 +56,9 @@
|
||||
%global hmaccalc_evr 0.9.14-10%{?dist}
|
||||
%endif
|
||||
|
||||
%global apps_hmaccalc sha1hmac sha224hmac sha256hmac sha384hmac sha512hmac
|
||||
%global apps_fipscheck sha1sum sha224sum sha256sum sha384sum sha512sum md5sum fipscheck fipshmac
|
||||
|
||||
# Add generation of HMAC checksums of the final stripped
|
||||
# binaries. %%define with lazy globbing is used here
|
||||
# intentionally, because using %%global does not work.
|
||||
@ -69,17 +66,28 @@
|
||||
%{?__debug_package:%{__debug_install_post}} \
|
||||
%{__arch_install_post} \
|
||||
%{__os_install_post} \
|
||||
%{_bindir}/fipshmac %{buildroot}%{_bindir}/* \
|
||||
bin_path=%{buildroot}%{_bindir} \
|
||||
lib_path=%{buildroot}/%{_lib} \
|
||||
for app in %{apps_hmaccalc}; do \
|
||||
test -e "$bin_path"/$app || continue \
|
||||
{ %{_bindir}/sha512hmac "$bin_path"/$app || exit 1; } \\\
|
||||
| cut -f 1 -d ' ' >"$bin_path"/.$app.hmac \
|
||||
done \
|
||||
for app in %{apps_fipscheck}; do \
|
||||
test -e "$bin_path"/$app || continue \
|
||||
%{_bindir}/fipshmac "$bin_path"/$app || exit 1 \
|
||||
done \
|
||||
%{_sbindir}/hardlink -cfv %{buildroot}%{_bindir} \
|
||||
%{_bindir}/fipshmac %{buildroot}/%{_lib}/libkcapi.so.%{version} \
|
||||
%{_bindir}/fipshmac "$lib_path"/libkcapi.so.%{version} \\\
|
||||
|| exit 1 \
|
||||
%{__ln_s} .libkcapi.so.%{version}.hmac \\\
|
||||
%{buildroot}/%{_lib}/.libkcapi.so.%{vmajor}.hmac \
|
||||
"$lib_path"/.libkcapi.so.%{vmajor}.hmac \
|
||||
%{nil}
|
||||
|
||||
|
||||
Name: libkcapi
|
||||
Version: %{vmajor}.%{vminor}.%{vpatch}
|
||||
Release: 10%{?dist}
|
||||
Release: 1%{?dist}
|
||||
Summary: User space interface to the Linux Kernel Crypto API
|
||||
|
||||
License: BSD or GPLv2
|
||||
@ -87,8 +95,9 @@ URL: http://www.chronox.de/%{name}.html
|
||||
Source0: http://www.chronox.de/%{name}/%{name}-%{version}.tar.xz
|
||||
Source1: http://www.chronox.de/%{name}/%{name}-%{version}.tar.xz.asc
|
||||
|
||||
Patch0: %{giturl}/compare/v1.0.3...master.patch#/%{name}-1.0.3-to_master.patch
|
||||
Patch1: %{giturl}/pull/48.patch#/%{name}-1.0.3-Makefile_Do_not_clobber_pkgconfig-dir_from_configure.patch
|
||||
Patch0: %{giturl}/pull/52.patch#/%{name}-1.1.0-kcapi-hasher_Fix_buffer_overrun_in_get_hmac_file.patch
|
||||
Patch1: %{giturl}/pull/53.patch#/%{name}-1.1.0-kcapi-hasher_Fix_FIPS_self-check_always_failing.patch
|
||||
Patch2: %{giturl}/pull/54.patch#/%{name}-1.1.0-kcapi-hasher_Fix_FIPS_self-check_of_the_libkcapi_library.patch
|
||||
|
||||
BuildRequires: clang
|
||||
BuildRequires: coreutils
|
||||
@ -146,19 +155,10 @@ BuildArch: noarch
|
||||
User documentation for %{name}.
|
||||
|
||||
|
||||
%if %{need_hasher}
|
||||
%package hasher
|
||||
Summary: Common utility for replacement packages
|
||||
Requires: %{name}%{?_isa} == %{version}-%{release}
|
||||
|
||||
%description hasher
|
||||
Provides a common binary used by the drop-in %{name} replacements for hashing/HMAC tools.
|
||||
%endif
|
||||
|
||||
%if %{with replace_coreutils}
|
||||
%package checksum
|
||||
Summary: Drop-in replacement for *sum utils provided by the %{name} package
|
||||
Requires: %{name}-hasher%{?_isa} == %{version}-%{release}
|
||||
Requires: %{name}%{?_isa} == %{version}-%{release}
|
||||
|
||||
Requires: coreutils%{?_isa} >= %{coreutils_evr}
|
||||
|
||||
@ -173,7 +173,7 @@ Provides drop-in replacements for sha*sum tools (from package coreutils) using %
|
||||
%if %{with replace_fipscheck}
|
||||
%package fipscheck
|
||||
Summary: Drop-in replacements for fipscheck/fipshmac provided by the %{name} package
|
||||
Requires: %{name}-hasher%{?_isa} == %{version}-%{release}
|
||||
Requires: %{name}%{?_isa} == %{version}-%{release}
|
||||
|
||||
Obsoletes: fipscheck <= %{fipscheck_evr}
|
||||
|
||||
@ -189,7 +189,7 @@ using %{name}.
|
||||
%if %{with replace_hmaccalc}
|
||||
%package hmaccalc
|
||||
Summary: Drop-in replacements for hmaccalc provided by the %{name} package
|
||||
Requires: %{name}-hasher%{?_isa} == %{version}-%{release}
|
||||
Requires: %{name}%{?_isa} == %{version}-%{release}
|
||||
|
||||
Obsoletes: hmaccalc <= %{hmaccalc_evr}
|
||||
|
||||
@ -277,6 +277,7 @@ EOF
|
||||
--enable-kcapi-test \
|
||||
--enable-shared \
|
||||
--enable-static \
|
||||
--enable-sum-prefix=. \
|
||||
--with-pkgconfigdir=%{_libdir}/pkgconfig
|
||||
%make_build all doc
|
||||
|
||||
@ -299,10 +300,6 @@ EOF
|
||||
%{__cp} -pr lib/doc/html %{buildroot}%{_pkgdocdir}
|
||||
|
||||
# Install replacement tools, if enabled.
|
||||
%if !%{need_hasher}
|
||||
%{__rm} -f %{buildroot}%{_bindir}/kcapi-hasher
|
||||
%endif
|
||||
|
||||
%if !%{with replace_coreutils}
|
||||
%{__rm} -f \
|
||||
%{buildroot}%{_bindir}/md5sum \
|
||||
@ -388,12 +385,6 @@ popd
|
||||
%license %{_datadir}/licenses/%{name}*
|
||||
|
||||
|
||||
%if %{need_hasher}
|
||||
%files hasher
|
||||
%{_bindir}/kcapi-hasher
|
||||
%{_bindir}/.kcapi-hasher.hmac
|
||||
%endif
|
||||
|
||||
%if %{with replace_coreutils}
|
||||
%files checksum
|
||||
%{_bindir}/md5sum
|
||||
@ -420,16 +411,14 @@ popd
|
||||
|
||||
|
||||
%files tools
|
||||
%if %{need_hasher}
|
||||
%exclude %{_bindir}/kcapi-hasher
|
||||
%exclude %{_bindir}/.kcapi-hasher.hmac
|
||||
%endif
|
||||
%{_bindir}/kcapi*
|
||||
%{_bindir}/.kcapi*.hmac
|
||||
%{_mandir}/man1/kcapi*.1.*
|
||||
|
||||
|
||||
%changelog
|
||||
* Thu Apr 12 2018 Ondrej Mosnáček <omosnace@redhat.com> - 1.1.0-1
|
||||
- Update to upstream version 1.1.0
|
||||
|
||||
* Sat Mar 31 2018 Björn Esser <besser82@fedoraproject.org> - 1.0.3-10
|
||||
- Replace single patches with a monolitic one from upstream
|
||||
- Obsolete replacements subpackage
|
||||
|
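Review bot: In the post-install hook, the hmaccalc loop runs `{ %{_bindir}/sha512hmac "$bin_path"/$app || exit 1; } | cut -f 1 -d ' ' >"$bin_path"/.$app.hmac`, where `exit 1` only ends the left-hand subshell of the pipeline; the pipeline's status is that of `cut`, so a failing sha512hmac does not abort the build and leaves an empty .$app.hmac behind, which surfaces only as a runtime self-check failure of the installed tool. Capture the output first so the failure is fatal at build time: `hmac=$(%{_bindir}/sha512hmac "$bin_path"/$app) || exit 1` followed by `echo "$hmac" | cut -f 1 -d ' ' >"$bin_path"/.$app.hmac`. The fipscheck loop below it already propagates its failure with `|| exit 1`, so only the hmaccalc branch needs the change.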
3
sources
3
sources
@ -1 +1,2 @@
|
||||
SHA512 (libkcapi-1.0.3.tar.xz) = 2fe6b4c4129be7c1a9fcfadeaeb7eb9c709bf129574c46014542547787e3b96aadf14a9a17ecadb58968e3e14731f44a9bd20ea47aa3bbc0a3a6327a24a92a65
|
||||
SHA512 (libkcapi-1.1.0.tar.xz) = 8d7a775a7ac3a16e006cc21a40e0dbc2c068879fb277ef7a96f706aa0a822ee6c29dba59e34a42cc2e3da926ee242fb47b6c1486d846d9028d662bc71e8f25fd
|
||||
SHA512 (libkcapi-1.1.0.tar.xz.asc) = f2ecc4bc477231a5f2b91476f4d300be32d796cf5f49b0b89e3f5c5735690fe4b6baec3739aa8df99eaac6eac66a63b23ce25e9b16bec17f8748fcac19843968
|
||||
|